| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAS2fgRWtuxo9AhYXqcspteMtf1FXE5zj6viTeYV3h=Dfo8FeQ@mail.gmail.com> Date: Mon, 26 Sep 2016 09:08:00 +0000 From: Gregory Maxwell <gmaxwell@...il.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] Can we add back Argon2id? On Mon, Sep 26, 2016 at 8:21 AM, Krisztián Pintér <pinterkr@...il.com> wrote: > On Fri, Sep 23, 2016 at 10:32 PM, Bill Cox <waywardgeek@...il.com> wrote: >> Can we add back Argon2id? > > one vote against. if the attack model includes side channels, 2i is > the way to go. if it does not, 2d. 2id would be useful if the attack > model sorta included side channels, but sorta didn't. or we don't > care, but want to check the box. i don't see the realism in this > scenario. My understanding is that 2id addresses the case where the sidechannel concern is that the sidechannel allows fast memory free elimination of candidate passwords, but otherwise you don't care about the side channel. Personally, I was disappointed that PHC anointed anything which wasn't at least this strong-- sidechannels are a reality and are fiendishly difficult to defend against except by architecture. It seems irresponsible to disregard them as completely as fully dynamic algorithms do.
Powered by blists - more mailing lists